JavaScript keylogger sees Vision Direct’s customer data stolen

Contact lens supplier Vision Direct has released information about a data breach it suffered earlier this month.

“Between 12.11am GMT 3rd November 2018 and 12.52pm GMT 8th November, the personal and financial details of some of our customers ordering or updating their information on visionDirect.co.uk was compromised,” said a statement on its website.

It’s not clear how many people are affected, but the compromised data includes:

Full name

Billing address

Email address

Passwords

Telephone number

Payment card information

Card expiry data

CVV

This breach could cause serious harm to those affected. Vision Direct has advised customers who believe they are affected to contact their banks. It claims to have fixed the issue with its website.

How did the breach happen?

Security researcher Troy Mursch posted on Twitter that the attack was carried out via a JavaScript keylogger, which essentially logs what website visitors are typing.

Mursch said the code was a fake Google Analytics script. Google Analytics is used on a significant number of websites, meaning it could be easy to fail to spot an imposter version of it hiding in a website’s code.

Has the breach been reported?

In its statement, Vision Direct says it “has taken the necessary steps to prevent any further data theft, the website is working normally, and we are working with the authorities to investigate how this theft occurred”.

We hope this means the breach has been reported to the ICO (Information Commissioner’s Office). If so, the ICO will investigate and could hand Vision Express a significant fine.